[Snort-users] Only *nix alerts?
erek at ...950...
Sun Apr 6 13:34:03 EDT 2003
On Sun, 6 Apr 2003, Keg wrote:
> Snort 1.9.1 on RH8
> I scan network segment protected with Snort using Nessus. I actually
> have scanned only 2 boxes on that network - one Linux box and one NT box.
> The alerts I see in Snort are almost all unix-related, namely: squid
> proxy attempt, scan proxy attempt 8080, tftp get password, snmp get
> alerts, ASF access, amanda version request, DDOS mstream, xdmp query,
> samba client access, etc.
> I don't see any windows-related alerts, which should be produced in tons
> by nessus scanning, because it runs a lot of windows-related vuln tests.
> 1. Why don't I see windows-related alerts? Any ideas?
Lots of reasons, but none related to the OS.
* You're on a switched network, and Snort is running on the
Linux box. Unless the port is configured as a monitoring port, you'll never
see anything destined for the other box.
* You're using an 'auto sensing hub'. If you're using a 10/100
autosensing hub, then you've got one box at 10mb and the other at 100mb.
Those autosensing hubs have two 'sides'--one for 10mbs and one for 100mbs.
It keeps 100mb traffic on its side, and keeps 10mbs traffic on its side.
> 2. Generally speaking, nessus runs more than 1000 different scripts for
> vuln tests, should I see the similar number of UNIQUE alerts in snort?
> In my understanding, snort should be aware of most of the attack attempts or
> queries nessus produces...
Not necessarily. Due to the way that rules work, if a three-way handshake
isn't established it won't alert. Check the rules and find what rules you
are expecting to fire. Check them for 'flow: established, to_server'. I
bet you'll find that on quite a few of them.
"When things get weird, the weird turn pro." H.S. Thompson
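The two points in the reply above (a sensor that never sees the handshake because of the switch, and rules that carry `flow:established,to_server`) can be shown together with a small model. The following Python is an added illustration, not code from the thread or from Snort itself: it parses a few constructed Snort 1.9-style rules, tracks TCP sessions the way a stream preprocessor would (established only after SYN, SYN/ACK and ACK have all been seen), and evaluates the rules against three constructed packet sequences. The rule text, addresses, ports and payloads are all made up for the example; the content matcher and flags check are simplified stand-ins for Snort's.

```python
import re

# Constructed Snort 1.9-style rules for the example (not from the original post).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB probe"; flow:to_server,established; content:"|FF|SMB"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt 8080"; flags:S; sid:1000002;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000003;)',
]

RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

def parse_content(spec):
    """Turn Snort content notation such as '|FF|SMB' into bytes."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_rule(text):
    """Parse header and the option keywords this model understands."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    _action, proto, _src, _sport, _dir, _dst, dport, opts = m.groups()
    rule = {"proto": proto, "dport": dport, "msg": "", "flow": set(),
            "flags": None, "contents": [], "nocase": False, "sid": None}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg": rule["msg"] = val
        elif key == "flow": rule["flow"] = {v.strip() for v in val.split(",")}
        elif key == "flags": rule["flags"] = val
        elif key == "content": rule["contents"].append(parse_content(val))
        elif key == "nocase": rule["nocase"] = True
        elif key == "sid": rule["sid"] = int(val)
    return rule

def rules_requiring_established(rules):
    """The check suggested in the reply: which rules cannot fire without a handshake."""
    return [r["sid"] for r in rules if "established" in r["flow"]]

def session_key(pkt):
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

class StreamTracker:
    """Minimal stand-in for a stream preprocessor: a session counts as
    established only once the sensor itself has seen SYN, SYN/ACK and ACK."""
    def __init__(self):
        self.sessions = {}

    def update(self, pkt):
        """Return (established, to_server) for this packet."""
        key = session_key(pkt)
        if "S" in pkt["flags"] and "A" not in pkt["flags"]:  # bare SYN opens a session
            self.sessions[key] = {"client": (pkt["src"], pkt["sport"]), "state": "syn"}
            return False, True
        s = self.sessions.get(key)
        if s is None:               # midstream: the SYN was never seen by this sensor
            return False, False
        to_server = (pkt["src"], pkt["sport"]) == s["client"]
        if pkt["flags"] == "SA" and s["state"] == "syn" and not to_server:
            s["state"] = "synack"
        elif "A" in pkt["flags"] and s["state"] == "synack" and to_server:
            s["state"] = "established"
        return s["state"] == "established", to_server

def rule_matches(rule, pkt, established, to_server):
    if rule["proto"] != pkt["proto"] or rule["dport"] != str(pkt["dport"]):
        return False
    if rule["flags"] is not None and pkt["flags"] != rule["flags"]:  # flags:S = exactly SYN
        return False
    if "established" in rule["flow"] and not established:
        return False
    if "to_server" in rule["flow"] and not to_server:
        return False
    payload = pkt["payload"].lower() if rule["nocase"] else pkt["payload"]
    return all((c.lower() if rule["nocase"] else c) in payload for c in rule["contents"])

def run_sensor(rules, packets):
    """Feed packets through the tracker and return the msg of every rule that fires."""
    tracker, alerts = StreamTracker(), []
    for pkt in packets:
        established, to_server = tracker.update(pkt)
        alerts += [r["msg"] for r in rules if rule_matches(r, pkt, established, to_server)]
    return alerts

def pkt(src, sport, dst, dport, flags, payload=b""):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags, "payload": payload}

SCANNER, TARGET = "10.0.0.5", "10.0.0.20"   # constructed addresses
# Full handshake then an SMB probe, every packet visible to the sensor.
FULL_SESSION = [
    pkt(SCANNER, 40001, TARGET, 139, "S"),
    pkt(TARGET, 139, SCANNER, 40001, "SA"),
    pkt(SCANNER, 40001, TARGET, 139, "A"),
    pkt(SCANNER, 40001, TARGET, 139, "PA", b"\x00\x00\x00\x2f\xffSMB\x72"),
]
# Same probe, but the sensor sat behind a switch and only saw the data packet.
MISSED_HANDSHAKE = [FULL_SESSION[3]]
# A bare SYN to 8080: the scan rule has no flow keyword, so it fires anyway.
SYN_PROBE = [pkt(SCANNER, 40002, TARGET, 8080, "S")]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in RULES]
    print("rules needing established:", rules_requiring_established(rules))
    for name, pkts in [("full", FULL_SESSION), ("missed", MISSED_HANDSHAKE), ("syn", SYN_PROBE)]:
        print(name, run_sensor(rules, pkts))
```

Running it shows the asymmetry the reply describes: the SMB rule fires only in the full-session case, the same payload produces nothing when the handshake was missed, and the SYN-only scan rule fires with no session state at all. The same `rules_requiring_established` check run over a real rules directory is a quick way to see how many of the Windows-oriented signatures need the sensor to observe complete sessions.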